Totolink T8 Firmware vulnerabilities
26 known vulnerabilities affecting totolink/t8_firmware.
Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 10, MEDIUM 5
Vulnerabilities
Page 2 of 2
CVE-2023-24157 [CRITICAL] CVSS 9.8, CWE-77, v4.1.5cu, 2023-02-03
A command injection vulnerability in the serverIp parameter in the function updateWifiInfo of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.
nvd
CVE-2023-24152 [CRITICAL] CVSS 9.8, CWE-77, v4.1.5cu, 2023-02-03
A command injection vulnerability in the serverIp parameter in the function meshSlaveUpdate of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.
nvd
CVE-2023-24155 [CRITICAL] CVSS 9.8, CWE-798, v4.1.5cu, 2023-02-03
TOTOLINK T8 V4.1.5cu was discovered to contain a hard-coded password for the telnet service, which is stored in the component /web_cste/cgi-bin/product.ini.
nvd
CVE-2023-24151 [CRITICAL] CVSS 9.8, CWE-77, v4.1.5cu, 2023-02-03
A command injection vulnerability in the ip parameter in the function recvSlaveCloudCheckStatus of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.
nvd
CVE-2023-24153 [CRITICAL] CVSS 9.8, CWE-77, v4.1.5cu, 2023-02-03
A command injection vulnerability in the version parameter in the function recvSlaveCloudCheckStatus of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.
nvd
CVE-2023-24154 [CRITICAL] CVSS 9.8, CWE-77, v4.1.5cu, 2023-02-03
TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW.
nvd